We are using camunda-bpm-spring-boot-starter and have managed to configure SSO via an external identity provider (IdP).
We are able to successfully deploy a process and start an instance of it using REST APIs.
Every new task creation creates an authorization in the DB for that task based on the task's assignee.
But, in our case, Camunda is not able to filter out users based on this authorization and it allows any user to complete any other user's task. After looking at the ProcessEngineAuthenticationFilter plugin, we are adding the authentication to the REST API via this:
```java
// Propagate the SSO identity into the engine: user id from the token's
// preferred_username, group ids from the configured group claim.
EngineUtil.lookupProcessEngine(DEFAULT_PROCESS_ENGINE_NAME)
    .getIdentityService()
    .setAuthentication(accessToken.getPreferredUsername(),
        ((ArrayList<String>) accessToken.getOtherClaims().get(DEFAULT_GROUP_CLAIM_ID)));
```
Are we missing something?
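As an added example (not code from the original post), here is the request-scoped pattern the snippet above is part of: a Spring Boot servlet filter that sets the engine authentication for one request and clears it afterwards. It assumes the upstream SSO layer already validated the token and exposes the user id and group list as request attributes (the attribute names are assumed); the engine only enforces task authorizations when `camunda.bpm.authorization.enabled=true` is set in application.properties.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.springframework.stereotype.Component;

// Added example: binds the already-validated SSO identity to the Camunda engine
// for the duration of a single REST request. Requires
// camunda.bpm.authorization.enabled=true, otherwise no check is performed at all.
@Component
public class TokenToEngineAuthenticationFilter implements Filter {

    private final IdentityService identityService;

    public TokenToEngineAuthenticationFilter(ProcessEngine processEngine) {
        this.identityService = processEngine.getIdentityService();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Assumed attribute names; populated by the IdP-specific SSO layer upstream.
        String userId = (String) request.getAttribute("sso.userId");
        @SuppressWarnings("unchecked")
        List<String> groups = (List<String>) request.getAttribute("sso.groups");

        if (userId == null) {
            // The engine skips authorization checks when no user is authenticated,
            // so an unauthenticated call must be rejected here, not passed through.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            identityService.setAuthentication(userId,
                    groups == null ? Collections.<String>emptyList() : groups);
            chain.doFilter(request, response);
        } finally {
            // Authentication is thread-local: clear it so a pooled thread cannot
            // carry one user's identity into the next request.
            identityService.clearAuthentication();
        }
    }
}
```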